enabling secure ldap samba4

Lukasz Zalewski lukas at dcs.qmul.ac.uk
Mon Aug 23 02:49:26 MDT 2010

On 08/23/2010 07:44 AM, Michael Wood wrote:
> On 22 August 2010 22:03, Matthieu Patou <mat at samba.org> wrote:
> [...]
>>> Something is still wrong, though.
>> Try ldbsearch; it's our tool and we know it works not too badly with s4.
> I'll give it a try.
>>> Doing the following returns the correct results, but then ldapsearch
>>> (sometimes) hangs until I press Ctrl-C:
>>> ldapsearch -ZZx -h host.name CN=Administrator CN
>> We have a bug for a similar problem:
>> https://bugzilla.samba.org/show_bug.cgi?id=7218
> Ah yes, that sounds familiar.  I'll also try from another host, since
> that's what I want to be able to do anyway.
>>> In all of these tests I was running ldapsearch on the same VM as Samba
>>> and Samba was running with -i -M single options.
>>> With one of the unfiltered searches it did not hang and did not appear
>>> to send back corrupted results, but still gave the "Can't contact LDAP
>>> server" error.
>>> Any ideas?
>> Don't use ldapsearch?
> Well OK, but I don't believe ldapsearch is at fault.  I suppose it
> could potentially be a bug in the OpenLDAP libs, but I suspect it's
> more likely to be Samba.
>> Try with your real programs; if it works then do
>> nothing, otherwise use stunnel, as we won't fix this bug very quickly as it is
>> a bit touchy!
> The "real program" is a Python script that basically does this:
>
> import ldap
>
> userdn = "CN=user,CN=Users,DC=host,DC=name"
> # unicodePwd values are the password in double quotes, encoded as UTF-16-LE
> del_entry = (ldap.MOD_DELETE, "unicodePwd", u'"oldpass"'.encode("utf-16-le"))
> add_entry = (ldap.MOD_ADD, "unicodePwd", u'"newpass"'.encode("utf-16-le"))
> modlist = [del_entry, add_entry]
> conn = ldap.initialize("ldap://host.name")
> conn.start_tls_s()  # upgrade to TLS before binding
> conn.simple_bind_s(userdn, "oldpass")
> conn.modify_s(userdn, modlist)
>
> The couple of times I tried it, it did do the modify, but it also hung
> at the end.  This was also from the same machine, though, so I'll give
> it a try from a remote machine, but I must say I won't feel that
> comfortable, even if it does work when I test it.
> I cannot use stunnel as a workaround (by itself), because the above
> ldap_modify_s() is not permitted by Samba unless the connection is
> encrypted.
Have you tried without TLS? I have run my password change only with
GSSAPI (and I somehow recall that with simple bind too) without the
TLS/SSL (simply because I have not got round to setting up the certs stuff)
and it worked.

> But, there seems to be a bug where the modify is allowed if the
> ldap_simple_bind_s() is done with an admin user.  This seems like a
> bug to me, but would at least allow a workaround.  Actually I would
> need to verify that, because the installation I tested that against
> was a few weeks old.
> By the way, what do you mean when you say "it is a bit touchy"?
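An added example, not code from any poster in this thread: the delete/add unicodePwd change discussed above, written so that it refuses to run unless the session will be encrypted and validates the server certificate. The function names, the 10-second timeouts and the `ca_file` parameter are assumptions made for this sketch; the modify operation codes are the RFC 4511 values.

```python
from urllib.parse import urlparse

# LDAP modify operation codes from RFC 4511 (same values as
# ldap.MOD_ADD and ldap.MOD_DELETE in python-ldap).
MOD_ADD, MOD_DELETE = 0, 1


def encode_unicode_pwd(password):
    """unicodePwd value: the password in double quotes, encoded as UTF-16-LE."""
    return ('"%s"' % password).encode("utf-16-le")


def build_password_change(old, new):
    """User-initiated change: delete the old value and add the new one in one modify."""
    return [(MOD_DELETE, "unicodePwd", [encode_unicode_pwd(old)]),
            (MOD_ADD, "unicodePwd", [encode_unicode_pwd(new)])]


def transport_plan(uri, start_tls):
    """Return 'ldaps' or 'starttls'; raise if the session would be cleartext."""
    scheme = urlparse(uri).scheme.lower()
    if scheme == "ldaps":
        return "ldaps"
    if scheme == "ldap" and start_tls:
        return "starttls"
    raise ValueError("refusing to send unicodePwd over an unencrypted connection: %s" % uri)


def change_password(uri, user_dn, old, new, ca_file, start_tls=True):
    """Bind as the user and change the password with certificate validation on."""
    import ldap  # python-ldap; imported here so the helpers above work without it
    plan = transport_plan(uri, start_tls)
    ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, ca_file)
    ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_DEMAND)
    conn = ldap.initialize(uri)
    # Bound how long a stalled server can block a call (values are assumptions).
    conn.set_option(ldap.OPT_NETWORK_TIMEOUT, 10)
    conn.set_option(ldap.OPT_TIMEOUT, 10)
    try:
        if plan == "starttls":
            conn.start_tls_s()
        conn.simple_bind_s(user_dn, old)
        conn.modify_s(user_dn, build_password_change(old, new))
    finally:
        conn.unbind_s()
```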
